Above and below the waterline: IPT finds that Prism and Tempora are lawful

The now famous revelations by US whistleblower Edward Snowden focused on US government programmes under which vast amounts of data about individuals’ internet usage and communications were said to have been gathered. The allegations extended beyond the US: the UK government and security agencies, for example, were also said to be involved in such activity.

Unsurprisingly, concerns were raised about the privacy implications of such activity – in particular, whether it complied with individuals’ rights under the European Convention on Human Rights (privacy under Article 8; freedom of expression under Article 10).

The litigation before the Investigatory Powers Tribunal

Litigation was commenced in the UK by Privacy International, Liberty, Amnesty International and others. The cases were heard by a five-member panel of the Investigatory Powers Tribunal (presided over by Mr Justice Burton) in July of this year. The IPT gave judgment ([2014] UKIPTrib 13_77-H) today.

In a nutshell, it found that the particular information-gathering activities it considered – carried out in particular by GCHQ and the Security Service – are lawful.

Note the tense: they are lawful. The IPT has not determined whether or not they were lawful in the past. The key difference is this: an essential element of lawfulness is whether the applicable legal regime under which such activity is conducted is sufficiently accessible (i.e. is it available and understandable to people?). That turns in part on what the public is told about how the regime operates. During the course of this litigation, the public has been given (by means of the IPT’s open judgment) considerably more detail in this regard. This, says the IPT, certainly makes the regime lawful on a prospective basis. The IPT has not determined whether, prior to these supplementary explanations, the ‘in accordance with the law’ requirement was satisfied.

With its forward-looking, self-referential approach, this judgment is unusual. It is also unusual in that it proceeded to test the legality of the regimes largely by reference to assumed rather than established facts about the Prism and Tempora activities. This is because not much about those activities has been publicly confirmed, due to the ‘neither confirm nor deny’ principle which is intrinsic to intelligence and security activity.

Prism

The first issue assessed by reference to assumed facts was called the “Prism” issue: this was about the collection/interception by US authorities of data about individuals’ internet communications and the assumed sharing of such data with UK authorities, who could then retain and use it. Would this arrangement be lawful under Article 8(2) ECHR? In particular, was it “in accordance with the law”, which in essence means did it have a basis in law and was it sufficiently accessible and foreseeable to the potentially affected individuals? (These are the so-called Weber requirements, from Weber and Saravia v Germany [2008] 46 EHRR SE5).

When it comes to intelligence, accessibility and foreseeability are difficult to achieve without giving the game away to a self-defeating extent. The IPT recognised that the Weber principles need tweaking in this context. The following ‘nearly-Weber’ principles were applied as the decisive tests for ‘in accordance with the law’ in this context:

“(i) there must not be an unfettered discretion for executive action. There must be controls on the arbitrariness of that action.

(ii) the nature of the rules must be clear and the ambit of them must be in the public domain so far as possible, an “adequate indication” given (Malone v UK [1985] 7 EHRR 14 at paragraph 67), so that the existence of interference with privacy may in general terms be foreseeable.”

Those tests will be met if:

“(i) Appropriate rules or arrangements exist and are publicly known and confirmed to exist, with their content sufficiently signposted, such as to give an adequate indication of it.

(ii) They are subject to proper oversight.”

On the Prism issue, the IPT found that those tests are met. The basis in law comes from the Security Service Act 1989, Intelligence Services Act 1994 and the Counter-Terrorism Act 2008. Additionally, the Data Protection Act 1998 (DPA), the Official Secrets Act 1989 and the Human Rights Act 1998 restrain the use of data of the sort at issue here. Taken together, there are sufficient and specific statutory limits on the information that each of the Intelligence Services can obtain, and on the information that each can disclose.

In practical terms, there are adequate arrangements in place to safeguard against arbitrary or unfettered use of individuals’ data. These included the “arrangements below the waterline” (i.e. which are not publicly explained) which the Tribunal was asked to – and did – take into account.

Oversight of this regime comes through Parliament’s Intelligence and Security Committee and the Interception of Communications Commissioner.

Further, these arrangements are “sufficiently signposted by virtue of the statutory framework … and the statements of the ISC and the Commissioner… and as now, after the two closed hearings that we have held, publicly disclosed by the Respondents and recorded in this judgment”.

Thus, in part thanks to closed evidence of the “below the waterline” arrangements and open disclosure of more detail about those arrangements, the Prism programme (on the assumed facts before the IPT) is lawful, i.e. it is a justified intrusion into Article 8 ECHR rights.

The alleged Tempora interception operation

Unlike the Prism programme, the second matter scrutinised by the IPT – the alleged Tempora programme – involved the interception of communications by UK authorities. Here, in contrast to Prism (where the interception is done by someone else), the Regulation of Investigatory Powers Act 2000 is pivotal.

This works on a system of warrants for interception. The warrants are issued under section 8 of RIPA (supplemented by sections 15 and 16) by the Secretary of State, rather than by a member of the judiciary. The regime is governed by the Interception of Communications Code of Practice.

The issue for the IPT was: is this warrant system (specifically, the section 8(4) provision for ‘certified’ warrants) in accordance with the law, for ECHR purposes?

This has previously been considered by the IPT in the British Irish Rights Watch case in 2004. Its answer was that the regime was in accordance with the law. The IPT in the present cases re-examined the issue and took the same view. It rejected a number of criticisms of the certified warrant regime, including:

The absence of a tightly focused, ‘targeting’ approach at the initial stages of information-gathering is acceptable and inevitable.

There is no call “for search words to be included in an application for a warrant or in the warrant itself. It seems to us that this would unnecessarily undermine and limit the operation of the warrant and be in any event entirely unrealistic”.

There is also “no basis for objection by virtue of the absence for judicial pre-authorisation of a warrant. The United Kingdom system is for the approval by the highest level of government, namely by the Secretary of State”.

Further, “it is not necessary that the precise details of all the safeguards should be published, or contained in legislation, delegated or otherwise”.

The overall assessment was very similar to that for Prism: in light of the statutory regime, the oversight mechanisms, the open and closed evidence of the arrangements (above and below the “waterline”) and additional disclosures by the Respondents, the regime for gathering, retaining and using intercepted data was in accordance with the law – both as to Article 8 and Article 10 ECHR.

Conclusion

This judgment is good news for the UK Government and the security bodies, who will no doubt welcome the IPT’s sympathetic approach to the practical exigencies of effective intelligence operations in the digital age. These paragraphs encapsulate the complaints and the IPT’s views:

“158. Technology in the surveillance field appears to be advancing at break-neck speed. This has given rise to submissions that the UK legislation has failed to keep abreast of the consequences of these advances, and is ill fitted to do so; and that in any event Parliament has failed to provide safeguards adequate to meet these developments. All this inevitably creates considerable tension between the competing interests, and the ‘Snowden revelations’ in particular have led to the impression voiced in some quarters that the law in some way permits the Intelligence Services carte blanche to do what they will. We are satisfied that this is not the case.

159. We can be satisfied that, as addressed and disclosed in this judgment, in this sensitive field of national security, in relation to the areas addressed in this case, the law gives individuals an adequate indication as to the circumstances in which and the conditions upon which the Intelligence Services are entitled to resort to interception, or to make use of intercept.”

11KBW’s Ben Hooper and Julian Milford appeared for the Respondents.

Robin Hopkins @hopkinsrobin

Information Rights: imminent developments

Like any self-respecting Panopticon, this website keeps tabs on imminent developments in its fields of interest. Here are some of the major cases to look out for in the information rights field.

State surveillance and the Prism/Tempora programmes

The obtaining, use and retention of personal data by state agencies has come under intense scrutiny since Edward Snowden’s revelations about the Prism/Tempora programmes. Litigation brought in the UK by Privacy International and Liberty against GCHQ and others reaches a head tomorrow, when the Investigatory Powers Tribunal gives judgment in that case.

Google Spain – and beyond

The Google Spain ‘right to be forgotten’ judgment has been one of the major events of 2014, in information rights terms. How is the right to be forgotten supposed to be applied in practice? The authoritative Article 29 Working Party (the cross-EU panel established under Article 29 of the DP Directive) has now given definitive guidance on how regulators should deal with such matters: see its guidelines adopted on 26 November.

Additionally, in X & Y v Google France the French Court (the Paris Tribunal de Grande Instance) has saddled Google with liability (on pain of monetary penalties) for defamation, in that google.com continued to provide links to Facebook and other webpages containing defamatory material. See this comment from Wiggin LLP on this case.

Domestic privacy/data protection litigation against Google

The case of Vidal-Hall v Google Inc saw Mr Justice Tugendhat grant permission to serve a claim extra-territorially. In so doing, he made a number of potentially significant observations about data protection and the privacy impact of Google’s activities through Apple’s Safari browser. The Court of Appeal is considering the appeal against the Tugendhat judgment next week. The ICO has been granted permission to intervene.

Police information

This week, the Supreme Court has heard appeals in the Catt and T cases, which concern the application of Article 8 ECHR and the DPA to information retained by the Metropolitan Police about persons who were not said to have committed criminal offences.

Next week, the Court of Appeal hears the case of Commissioner of Police of the Metropolis & X v Z (Children) & the Secretary of State for the Home Department, which concerns whether DNA profiles obtained under Part II of PACE (police powers to gather evidence from crime scenes) may lawfully be disclosed for purposes other than criminal law enforcement.

Medical information and confidentiality

Permission has also been granted to appeal in W and Others v Secretary of State for Health and Another [2014] EWHC 1532 (Admin), which concerns the disclosure by the NHS of information about unpaid NHS debts by non-UK residents to departments of the UK government. One of the issues is the extent (if any) to which patient confidentiality applies to such information.

Panopticon understands that the British Medical Association has been given permission to intervene, and that the case will be before the Master of the Rolls (among others). The case is due to be heard next spring.

MPs’ expenses and the meaning of ‘information’ for FOIA purposes

Another case due before the Court of Appeal (including the Master of the Rolls) next spring is IPSA v Information Commissioner, which concerns a FOIA request by Ben Leapman (then of the Daily Telegraph) for copies of original receipts submitted by a number of named MPs in support of their expenses claims. Issues include the meaning of ‘information’ for the purposes of FOIA.

The EIRs – public authorities and charges

The Fish Legal litigation – concerning the meaning of a ‘public authority’ for EIR purposes – has returned from the CJEU and has been heard by the Upper Tribunal. Piggy-backing onto this case are other appeals concerning whether the Duchy of Cornwall and the Sovereign are public authorities for EIR purposes.

In the opposite direction of travel, the CJEU will next week consider the case of East Sussex CC v ICO & LGA, a referral from the Tribunal on the question of reasonable charges for the provision of information under the EIRs.

As ever, watch this space.

Panopticon is also pleased to highlight the heavy presence of 11KBW counsel in the majority of the cases referred to above.

Robin Hopkins @hopkinsrobin

Public access to local authority information: transparency with teeth

The Freedom of Information Act and Environmental Information Regulations are the dominant statutory regimes for public transparency, but they are of course not the only ones. A good example is the regime under the Local Government Act 1972 (as amended), particularly sections 100A-K. Those provisions govern public access to local authority meetings, as well as the public availability of minutes, reports, background documents and so on for such meetings, subject to provisions for exempt information (Schedule 12A).

A recent judgment of the Admin Court (Cranston J) in a planning matter, Joicey v Northumberland County Council [2014] EWHC 3657 (Admin) illustrates the importance of compliance with that regime for public access to information.

The claimant challenged the local authority’s grant of planning permission for a wind turbine. One of his grounds was its failure to make available the noise assessment report which had been considered in the granting of permission, contrary to the provisions of the 1972 Act referred to above, and also in breach of the council’s Statement of Community Involvement.

The Council had argued that the report, being on its files, was duly available. Cranston J disagreed: “it was not open to inspection by members of the public since the files were in such a state that the duty officer on 1 November fetched what must have been a Brackenside file, but not one with the report. If the Council cannot organize its files in a way which means the duty officer is able to produce a particular report within a reasonably practicable time the report is not available” (paragraph 44). This is a compelling warning to public authorities to make sure relevant information is properly (rather than technically or hypothetically) available where required.

Here is an important passage from Cranston J’s judgment about the practical and democratic value of transparency (paragraph 47):

“… Right to know provisions relevant to the taking of a decision such as those in the 1972 Act and the Council’s Statement of Community Involvement require timely publication. Information must be published by the public authority in good time for members of the public to be able to digest it and make intelligent representations: cf. R v North and East Devon Health Authority Ex p. Coughlan [2001] Q.B. 213, [108]; R (on the application of Moseley) (in substitution of Stirling Deceased) v Haringey LBC [2014] UKSC 56, [25]. The very purpose of a legal obligation conferring a right to know is to put members of the public in a position where they can make sensible contributions to democratic decision-making. In practice whether the publication of the information is timely will turn on factors such as its character (easily digested/technical), the audience (sophisticated/ ordinary members of the public) and its bearing on the decision (tangential/ central)”.

Here, the dense and technical report had not been made available with sufficient time for it to be digested and acted upon.

Cranston J was also clear that, had the information been made properly available, it could have made a real difference. Officers could have been prompted to rethink certain points, and decision-makers could well have been swayed: the decision was made by “a committee of politicians where the vote was not whipped. It is a very bold person who will hazard that in such circumstances a particular result is inevitable”.

Relief was therefore appropriate: “the claimant will be entitled to relief unless the decision-maker can demonstrate that the decision it took would inevitably have been the same had it complied with its statutory obligation to disclose information in a timely fashion” (paragraph 51).

The Council’s decision was therefore quashed on the transparency ground (among others). See paragraph 59:

“Here the claimant had standing to challenge a decision of his local Council. By denying him timely access to information to which he was entitled it limited his full participation in democratic decision-making. The fact that he might not be immediately affected by the proposal where he lives is not a sufficient reason to deny him the remedy he seeks. This was a serious breach by the Council of its statutory obligations. An additional factor bearing on the exercise of discretion in this case is the Council’s own behaviour in the back-dating of the website to when the WSP noise assessment was available to it. Although it did not have any consequences in the circumstances of this case, it had the potential to mislead members of the public about their right to know and to use the information disclosed. In all there is no reason to deny the claimant his remedy.”

The case is a powerful illustration of the practical value of transparency and public participation, and of how failure to comply with laws aimed at those ends can really bite.

Robin Hopkins @hopkinsrobin

Assessing the FOIA veto power

For those of you still following the Prince of Wales correspondence veto saga, and who have access to law journals in print or online, you may be interested to read the casenote published in the latest issue of the Law Quarterly Review discussing the Court of Appeal judgment. The casenote is by 11KBW and Panopticon stalwart Chris Knight. The full reference is CJS Knight, ‘The Veto in the Court of Appeal’ (2014) 130 LQR 552.

Loss of personal data: £20k award upheld on appeal

If you breach your legal duties as regards personal data in your control, what might you expect to pay by way of compensation to the affected individual? The received wisdom has tended to be something along these lines. First, has the individual suffered any financial loss? If not, they are not entitled to a penny under s. 13 DPA. Second, even if they get across that hurdle, how much should they get for distress? Generally, not very much – reported awards have tended to be very low (in the low thousands at most).

All of that is very comforting for data controllers who run into difficulties.

That picture is, however, increasingly questionable. “Damage” (the precondition for any award, under s. 13 DPA) could mean something other than “financial loss” – other sorts of damage (even a nominal sort of damage) can, it seems, serve as the trigger. Also, provided the evidence is sufficiently persuasive, it seems that awards – whether under the DPA or at common law (negligence) – could actually be substantial.

These trends are evident in the judgment of the Court of Appeal of Northern Ireland in CR19 v Chief Constable of the Police Service of Northern Ireland [2014] NICA 54.

The appellant, referred to as CR19, was a police officer with the Royal Ulster Constabulary. Due to his exposure to some serious terrorist incidents, he developed Post-Traumatic Stress Disorder (PTSD); he also developed a habit of excessive alcohol consumption. He left the Constabulary in 2001. In 2002, there was a burglary at Castlereagh Police, apparently carried out on behalf of a terrorist organisation. Data and records on officers including CR19 were stolen.

The Constabulary admitted both negligence and a breach of the seventh data protection principle (failure to take appropriate technical and organisational measures). The issue at trial was the amount of compensation to which CR19 was entitled.

Note the losses for which CR19 sought compensation: he claimed that, as a result of the stress which that data loss incident caused him, his PTSD and alcohol problems worsened, he lost out on an employment opportunity and that his house had been devalued as a result of threats to the property and the package of security measures that had been implemented for protection.

The trial judge heard evidence from a number of parties, including medical experts on both sides. He found some aspects of CR19’s evidence unsatisfactory. Overall, however, he awarded CR19 £20,000 (plus interest) for the Constabulary’s negligence. He did not expressly deal with any award under s. 13 of the DPA.

CR19 appealed, saying the award was too low. His appeal was largely dismissed: the trial judge had been entitled to reach his conclusions on the evidence before him.

Further, the s. 13 DPA claim added nothing to the quantum. The Court of Appeal considered the cases of Halliday (a £750 award) and AB (£2,250) (both reported on Panopticon) and concluded as follows (para. 24):

“In this case we have earlier recorded that three eminent psychiatrists gave professional evidence as to the distress sustained by CR19 as a consequence of the break-in. While accepting that the breach and its consequences in this case are of a different order to the matters considered in Halliday or AB, we conclude that the damages for distress arising from the breach of the Data Protection Act must be considered to be subsumed into the judge’s award which, while rejected as too low by the appellant, was by no means an insignificant award. The assessment took account of the distress engendered by the breach of data protection. We cannot conceive of any additional evidence that might be relevant to any additional damages for distress in respect of breach of section 4. Accordingly, we affirm the award of compensation made by the learned trial judge. However, in view of Arden LJ’s reasoning in Halliday, we conclude that the appellant must in addition be entitled to nominal damages of £1.00 to reflect the fact that there was an admitted breach of section 4 of the Data Protection Act.”

Whilst it is not strictly correct to read the CR19 judgment as affirming a DPA award for £20,000 (that award was for negligence), the judgment is nonetheless interesting from a DPA perspective in a number of respects, including these:

(i) While it was conceded in Halliday that nominal damage suffices as “damage” for s. 13(1) purposes, that conclusion looks like it is being applied more widely.

(ii) One problem in Halliday (and to an extent also in AB) was the lack of cogent evidence supporting the alleged damage. The CR19 case illustrates how evidence, including expert medical evidence, can be deployed to effect in data breach cases (whether based on negligence or on the DPA).

(iii) Unlawful acts with respect to individuals’ personal information can, it seems, lead one way or another to a substantial award. The DPA may aim to offer relatively modest awards (so said the Court of Appeal in Halliday), but serious misuse or loss of personal data can nonetheless be very damaging, and the law will recognise and compensate for this where appropriate.

Robin Hopkins @hopkinsrobin

Facebook, FOI and children

The Upper Tribunal has got its teeth into personal data disputes on a number of occasions in recent months – Edem was followed by Farrand, and now Surrey Heath Borough Council v IC and Morley [2014] UKUT 0330 (AAC). Panopticon reported on the first-instance Morley decision in 2012. In brief: Mr Morley asked for information about members of the local authority’s Youth Council who had provided input into a planning application. The local authority withheld the names of the Youth Councillors (who were minors) under s. 40(2) of FOIA (personal data). In a majority decision, the First-Tier Tribunal ordered that some of those names be disclosed, principally on the grounds that it seemed that they appeared on the Youth Council’s (closed) Facebook page.

The local authority and the ICO challenged that decision. The Upper Tribunal (Judge Jacobs) has agreed with them. He found the dissenting opinion of the First-Tier Tribunal member to have been the more sophisticated (as opposed to the overly generalised analysis of the majority) and ultimately correct. The Youth Councillors’ names were correctly withheld.

In his analysis of the First Data Protection Principle, Judge Jacobs was not much bothered by whether fairness or condition 6(1) (the relevant Schedule 2 condition) should be considered first: “the latter is but a specific instance of the former”.

Judge Jacobs found that there was no sufficient interest in the disclosure of the names of the Youth Councillors. He also rejected the argument that, by putting their names on the relevant Facebook page, the data subjects had implicitly consented to public disclosure of their identities in response to such a FOIA request.

Judge Jacobs stopped short, however, of finding that the personal data of minors should never be disclosed under FOIA, i.e. that the (privacy) interests of children would always take precedence over transparency. Maturity and autonomy matter more than mere age in this context, and sometimes (as here) minors are afforded substantial scope to make their own decisions.

Morley is an important case on the intersection between children’s personal data and transparency, particularly in the social media context, but – as Judge Jacobs himself observed – “it is by no means the last word on the subject”.

There were 11KBW appearances by Joseph Barrett (for the local authority) and Heather Emmerson (for the ICO).

Robin Hopkins @hopkinsrobin